The Hacker News — Cyber Security, Hacking, Technology News

Security researchers from MetaIntell, the leader in intelligence-led Mobile Risk Management (MRM), have discovered a major security vulnerability in the latest version of the Facebook SDK that puts millions of Facebook users' authentication tokens at risk.

The Facebook SDK for Android and iOS is the easiest way to integrate mobile apps with the Facebook platform; it provides support for Login with Facebook authentication, reading from and writing to Facebook APIs, and more.

Facebook OAuth authentication, or the ‘Login as Facebook’ mechanism, is a personalized and secure way for users to sign into 3rd party apps without sharing their passwords. After the user approves the permissions requested by the application, the Facebook SDK implements the OAuth 2.0 User-Agent flow to retrieve the user’s secret access token, which the app needs in order to call Facebook APIs to read, modify or write the user's Facebook data on their behalf.

ACCESSING UNENCRYPTED ACCESS TOKEN

It is important that your secret token is never shared with anyone, but the researchers found that the Facebook SDK library stores it in an unencrypted format on the device’s file system, where it can be accessed easily even on a non-rooted Android or non-jailbroken iOS device.

“With just 5 seconds of USB connectivity, Access token is available on iOS via juice jacking attack, no jailbreak needed and on Android file system, it can be accessed via recovery mode which is trickier and requires more time,” Chilik Tamir, Chief Architect for MetaIntell, told The Hacker News.

THREAT FROM OTHER APPS

Moreover, any 3rd party smartphone application with permission to access the device file system can read this file and steal users’ Facebook access tokens remotely, he said.

The researchers published a YouTube video demonstrating the reported vulnerability in one of the most popular messaging applications, ‘VIBER’ for iOS.

All iOS and Android apps that use the Facebook SDK for app login and store users' unencrypted access tokens on the device are vulnerable to this attack, Chilik Tamir told The Hacker News in an email.

“MetaIntell has identified that 71 of the top 100 free iOS apps use the Facebook SDK and are vulnerable, impacting the over 1.2 billion downloads of these apps. Of the top 100 Android apps, 31 utilize the Facebook SDK and therefore make vulnerable the over 100 billion downloads of these apps,” the researcher said in a blog post.

PASSIVE RESPONSE FROM FACEBOOK SECURITY TEAM

The MetaIntell team has already informed the Facebook Security team about the vulnerability, but it seems that Facebook is not in any mood to update its SDK with a fix.

“I followed up with our Platform team to see if there were any changes they wanted to make here: - On the Android side we've concluded that we will not be making any changes: we are comfortable with the level of security provided by the Android OS. - On the iOS side the team is exploring the possibility of moving the access token storage to the keychain in order to comply with best practices,” Facebook replied to MetaIntell after the bug report.

WHAT TO DO?

Mobile app users are advised not to use the ‘Facebook Login’ option within mobile apps and to disallow apps from using their Facebook login. App developers are recommended to move their users’ access tokens from the device file system to secure online storage reached over an encrypted channel.

Google’s Android operating system may be open source, but the version of Android that runs on most phones, tablets, and other devices includes proprietary, closed-source components.

Phone makers, including Samsung, ship their smartphones with a modified version of Android and some pre-installed proprietary software. Because there is no independent code review of those closed-source apps, it is difficult to verify their integrity and to identify the existence of backdoors.

Paul Kocialkowski, a developer of Replicant OS, has uncovered a backdoor pre-installed on Samsung Galaxy devices and the Nexus S that provides remote access to all the data on the device.

Replicant OS is an open source operating system based on the Android mobile platform, which aims to replace all proprietary Android components with their free software counterparts.

In a blog post, he explained that smartphones come with two separate processors: a general-purpose applications processor that runs Android OS, and another, known as the modem, that is responsible for communications with the mobile telephony network.

The researcher found that Samsung's IPC protocol, which runs in the background and is bound to the communications processor, allows the modem to remotely read, write, and delete files on the user's phone storage. The Samsung IPC protocol implements a class of requests, known as RFS commands, that allows the modem to perform remote I/O operations on the phone’s storage.

"The spying can involve activating the device's microphone, but it could also use the precise GPS location of the device and access the camera, as well as the user data stored on the phone. Moreover, modems are connected most of the time to the operator's network, making the backdoor nearly always accessible."

This backdoor might have been placed there accidentally, but the ability to remotely modify the user’s personal data without the user's knowledge poses a serious threat.

"It is possible to build a device that isolates the modem from the rest of the phone, so it can't mess with the main processor or access other components such as the camera or the GPS."

"The incriminated RFS messages of the Samsung IPC protocol were not found to have any particular legitimacy nor relevant use-case. However, it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a backdoor," he said.

"However, some RFS messages of the Samsung IPC protocol are legitimate (IPC_RFS_NV_READ_ITEM and IPC_RFS_NV_WRITE_ITEM) as they target a very precise file, known as the modem's NV data," he added.

Smartphone manufacturers are adding ways for owners to track and manage their phones if they ever get lost or stolen. Find My iPhone is a service that comes with every iOS device that allows you to track your iPhone, whether it was lost or stolen.

Normally, the iPhone requires a password if you want to deactivate “Find My iPhone”, but the protection isn’t perfect, and thieves are now smart enough to disable 'Find My iPhone' on devices running iOS 7.0.4 and lower versions without having to enter a password.

The exploit was discovered and demonstrated by security researcher Bradley Williams; a successful bypass means you won’t be able to locate the device, make it play a sound, or wipe it.

The vulnerability could put devices at risk; exploitation takes a few simple steps that change the iCloud settings, even if the thief doesn’t know the password.

Steps to hack 'Find My iPhone':

Navigate to iCloud in the settings.

Select your account.

Change the password to an incorrect one, then tap Done.

When the 'wrong password' warning is displayed, tap OK and then tap Cancel.

Reselect your account.

Empty the description field and then press Done.

You will notice Find My iPhone is now toggled off.

Exploitation also requires physical access to the device, and it only works if the user hasn't set a passcode or enabled the iPhone 5S fingerprint-based Touch ID system. Hackers are not able to reproduce it on the iOS 7.1 beta version, which means the flaw will be fixed in the next iOS update, expected to reach devices in March.

Users are recommended to activate Apple’s device Lock system, which blocks a thief from erasing and re-activating a stolen phone unless they enter your Apple ID and password.

A team of researchers at Rutgers University has developed an Android application that notifies you whenever an app installed on your smartphone accesses the GPS functionality.

A smartphone is a multipurpose device with the features of both a mobile phone and a computer, allowing us to talk, text, access personal and official e-mail, browse the Internet, make purchases, manage bank accounts, and take pictures.

Smartphones also help you find the way to your destination using GPS (Global Positioning System) technology. Unlike many of our computers, our smartphones are always with us and many of us rarely turn them off, which means your smartphone can even be abused to track your real-time location on the map.

There are many legitimate applications that need your location in order to function properly and to enhance their features. For example, the Zomato app can list all restaurants near you, social messaging apps like WeChat let you get a list of all users available near your location for chatting and dating, and Facebook gives you a check-in facility so that you can share a place you are visiting.

Who would be interested in knowing your location? Parents, companies, advertisers, cyber-criminals and, in some situations, federal agencies. For an app with GPS location permission, it is very easy to determine your real-time location and transmit the latitude-longitude data periodically to the app-maker.

It is well known that any application with permission to access the location service can capture the device's GPS location at any time in the background, without user interaction.

The security app developed by the researchers will flash a notification message on the device screen that reads "Your location is being accessed by [app name]".

They used a method called 'Heuristic Discovery of Location Access', which watches for changes in the value returned by 'getLastKnownLocation' caused by any GPS-enabled app in order to detect such apps.

"As it turns out, there is no obvious way for a normal Android app to monitor whether other apps are accessing location. However, we discovered we could exploit the method getLastKnownLocation available in the Android Location API for this purpose as an effective side channel."

But at this point, it is not clear how accurately this app is able to catch apps accessing location, and the method they describe could be limited to foreground applications (the apps a user is interacting with at that time), rather than detecting apps that access your location silently in the background.

According to a study, 74% of smartphone users use a location-based service like Facebook, WhatsApp, Snapchat etc. Security applications with such detection features are the need of the hour, so that users can keep an eye on each and every event to protect their privacy. The app should be available on Google Play within the next two months.

Snapchat suffered a massive data breach back in December in which 4.6 million usernames and phone numbers were compromised.

Earlier this month, the company launched an update to its iOS and Android apps that added a new security measure to ensure that new users aren't spambots or robots. When you sign up for the first time, it now displays nine images and asks you to pick which images contain a “ghost”.

Within 24 hours of Snapchat releasing the improved security feature, a developer had written a computer program capable of cracking it.

Another hacker, Steven Hickson, took only 30 minutes to write a script that can crack this new security feature. This CAPTCHA feature basically has you choose from among a bunch of images, identifying the ones that contain the Snapchat ghost, to prove you are a person.

"The problem with this is that the Snapchat ghost is very particular. You could even call it a template. For those of you familiar with template matching (what they are asking you to do to verify your humanity), it is one of the easier tasks in computer vision."

He wrote a script that can map out the exact shape of the Snapchat ghost by matching it with the templates. Basically, he took an image of Snapchat's logo, then built a program that can identify certain points on the logo and match them to the images in the test.

He was able to effectively bypass Snapchat's test with 100 percent accuracy. "There is a ton of ways to do this using computer vision, all of them quick and effective. It's a numbers game with computers and Snapchat's verification system is losing."

China has always tried to support its homegrown tech industry, and security concerns over secret U.S. surveillance give the Chinese Government another reason to trust domestic vendors. Many other countries are also in favor of developing their own technology industries to reduce their dependence on the U.S.

The Government of China is not too fond of foreign mobile operating systems and is therefore trying to break the monopoly of Microsoft, Apple and Google in the country.

This week at an event in Beijing, China has unveiled its own Linux-based mobile platform, dubbed China Operating System (COS), developed as a joint effort between a company 'Shanghai Liantong', ISCAS (Institute of Software at the Chinese Academy of Sciences) and the Chinese Government.

According to the COS website, it is designed for PCs, smartphones, tablets, TVs, set-top boxes and other smart appliances. It runs Java applications, supports HTML5 and can run over 100,000 apps.

At the launch event, the head of the ISCAS criticized Apple’s iOS for being a closed ecosystem, Android for its fragmentation issues, and Windows Phone for its poor security.

According to the promo video, the China Operating System (COS) interface and functions are much like Android, specifically very similar to HTC’s Sense 5.

However, many Chinese users are criticizing this operating system on social media sites: “What does COS stand for? COPY OTHER SYSTEM?… But it really does look like a fusion of the Apple, Android, Symbian, and Blackberry operating system.”

Another user commented, "It’s not open source because they’re terrified that others will see that the source code is the same as Android, and accuse them of cheating the government out of money."

Four years back, China tried to create its own Linux-based, open mobile operating system called "OPhone or OMS (Open Mobile System)", but it failed to gain popularity and was discontinued after 2011.

Well, do you think China is competing with the NSA over spying ability, with a motto to leave room for backdoors, or is it defending itself from NSA surveillance programs?

After the exposure of various surveillance programs, including PRISM, XKeyscore, MUSCULAR and DROPOUTJEEP, in recent revelations, the NSA has come up as the only ‘Government that Actually Listens’.

Another day and here comes another revelation - According to The Guardian, the National Security Agency (NSA) has collected almost 200 million text messages per day from across the globe and is using them to extract data including location, contact networks and even credit card details.

The two names that come into the limelight are DISHFIRE, which collects “pretty much everything it can”, and PREFER, which conducted automated analysis of the untargeted communications.

The program was designed to collect the text messages automatically from various service providers, to pull the details of financial transactions, roaming charges, delayed flights, missed calls and scheduled alerts, address book contacts, credit cards, bank accounts and visited locations.

Now, if I am not wrong, the word ‘untargeted’ means precisely that the NSA is literally just nabbing up whatever it can. The untargeted data collected in a day was apparently so large that it needed to be analyzed automatically.

So the NSA came up with another program called “PREFER” as an automated tool to scan the data. The documents describe this data as “content-derived metadata”, and explain that “such gems are not in current metadata stores and would enhance current analytics”.

According to the report, the British spy agency GCHQ was given access by the NSA to search the collected "metadata" of “untargeted and unwarranted” communication, i.e. information about the text messages of British citizens was given, but not their actual contents.

Stats per day:

More than 5 million missed-call alerts, for use in contact-chaining analysis (working out someone's social network from who they contact and when)

Details of 1.6 million border crossings a day, from network roaming alerts

More than 110,000 names, from electronic business cards, which also included the ability to extract and save images

Over 800,000 financial transactions, either through text-to-text payments or linking credit cards to phone users

In the statement to The Guardian, the NSA's spokeswoman admitted and gave assurances that the information collected was entirely accidental, and stated:

“Dishfire is a system that processes and stores lawfully collected SMS data. Because some SMS data of US persons may at times be incidentally collected in NSA's lawful foreign intelligence mission, privacy protections for US persons exist across the entire process concerning the use, handling, retention, and dissemination of SMS data in Dishfire.”

The revelation comes a day before U.S. President Barack Obama is scheduled to announce reforms to NSA programs, prompted by disclosures from Snowden.

The President will speak to the issue on Friday. We will post the updates, as available. Stay tuned to #THN.

Big and good news for all of us. Federal court judge Richard J. Leon said he believes that the US National Security Agency’s (NSA) controversial practice of routinely collecting the telephone records of millions of Americans likely violates the 4th Amendment and is unconstitutional, even though the FISA court approved it.

Earlier in 2013, conservative legal activist Larry Klayman filed a lawsuit against the US government, alleging that the NSA’s massive telephone surveillance program violates the "reasonable expectation of privacy, free speech and association, right to be free of unreasonable searches and seizures and due process rights."

The NYTimes reported that in the decision last Monday (Case: Klayman v. Obama, 13-851), the judge ordered the NSA to stop collecting U.S. citizens' telephone records and to destroy the files it already holds.

This was the first major court ruling about the NSA's so-called metadata counter-terrorism program after Edward Snowden revealed the massive phone record collection in June.

Judge Leon said “the Government does not cite a single instance in which analysis of the NSA’s bulk metadata collection stopped an imminent attack, or otherwise aided the Government in achieving any objective that was time-sensitive in nature.”

“Program infringes on ‘that degree of privacy’ that the Founders enshrined in the Fourth Amendment.” Judge Leon concludes that “the author of our constitution, James Madison…would be aghast.”

But the judge added, “I hereby give the Government fair notice that should my ruling be upheld, this order will go into effect forthwith.”

Edward Snowden statement:

“I acted on my belief that the N.S.A.’s mass surveillance programs would not withstand a constitutional challenge, and that the American public deserved a chance to see these issues determined by open courts. Today, a secret program authorized by a secret court was, when exposed to the light of day, found to violate Americans’ rights. It is the first of many.”

Former Guardian journalist Glenn Greenwald tweeted, “If someone discloses a secret govt program that a Federal Court rules violates the Constitution, that person's a whistleblower, right?”

Internet metadata collection was excluded from this ruling because Director of National Intelligence James Clapper had said that domestic collection of Internet metadata had ended in 2011.

Just after this ruling, President Barack Obama planned to meet the bosses of tech giants on Tuesday, including Apple, Facebook, Google and Twitter, to discuss US spy agency surveillance.

“The meeting will also address national security and the economic impacts of unauthorized intelligence disclosures,” a White House official said.

The Android platform has been a primary target for malware attacks for the past few years, and during 2013 more than 79% of mobile operating system malware threats took place on Android OS.

I have been working on Android malware architectures for the last two years and have created hundreds of samples of the most sophisticated malware for demo purposes.

Until now, the majority of Android malware apps we have seen earn money for their creators by sending SMS messages to premium-rate numbers from infected devices.

Security researchers at Lookout identified an interesting piece of monetized Android malware labeled 'Mouabad', which allows a remote attacker to make phone calls to premium-rate numbers without user interaction by sending commands to the malware from C&C servers.

The technique is not new, but this is the first time an infection from such an app has been reported in the wild. The variant, dubbed Mouabad.p, is particularly sneaky: to avoid detection, it waits to make its calls until a period of time after the screen turns off and the lock screen activates.

"Mouabad.p also ends the calls it makes as soon as a user interacts with their device (e.g. unlocks it). However, this malware variant does not appear to have the ability to modify call logs so a discerning victim could uncover Mouabad.p’s dialing activity by checking their call histories."

The risk of infection is low, because the malware app works only on devices running Android version 3.1 or older and is designed mainly to target Chinese-speaking users.

"Mouabad.p and other trojans that can financially harm users and effectively hide themselves underscore the need for sophisticated mobile malware protection."

A loophole in the Android architecture contributes to the growth of Android malware. It basically can't tell the difference between a legitimate app that takes permissions to read your contacts or SMS (e.g. True Caller), a malicious application (e.g. Trojans), and a state-sponsored application (e.g. WeChat). Nor does the Android architecture allow users to revoke the permissions they don't want to give to an application.

For now, if you own a smartphone, I highly recommend that you install applications only from a trusted app store, e.g. Google Play.

Earlier this year, in July, it was first discovered that 99% of Android devices are vulnerable to a flaw called the "Android Master Key vulnerability", which allows hackers to modify any legitimate and digitally signed application in order to transform it into a Trojan program that can be used to steal data or take control of the device.

The vulnerability was also responsibly disclosed to Google back in February by Bluebox, but the company did not fix the issue even with Android 4.3 Jelly Bean. Later, Google also modified its Play Store’s app entry process so that apps that have been modified using such an exploit are blocked and can no longer be distributed via Play.

Security researcher Jay Freeman has discovered yet another Master Key vulnerability in Android 4.3, which is very similar to the flaw reported by Android Security Squad in July. Jay Freeman is perhaps better known as Saurik, for the Cydia software, an application for iOS that enables a user to find and install software packages on jailbroken Apple iOS devices such as the iPhone.

He demonstrated the flaw with a proof-of-concept exploit written in Python.

On Android, all applications are signed by their developers using private cryptographic keys; it is by comparing the certificates used to verify these signatures that Android's package manager determines whether applications are allowed to share information, or what permissions they are able to obtain.

Even the system software itself is signed by the manufacturer of the device, and applications signed by that same key are thereby able to do anything that the system software can.

Like the previous master key bugs, Saurik's exploit allows a hacker to gain complete access to your Android device via a modified system APK, with its original cryptographic key being untouched.

This way the malware can obtain full access to Android system and all applications (and their data) with dangerous system permissions.

Users are advised to download apps or app updates only from trusted sources, preferably from official sources or app stores. Saurik has also updated his Cydia Impactor for Android to include a patch for this bug.

Recently, the source code for Android 4.4 was released in the Android Open Source Project, and it included a patch for all previously known Android Master Key vulnerabilities.

Update: We have updated the story and made some corrections after Saurik's comment: 'the bug I am describing is a bug in Android 4.3, not Android 4.4. The fix for it was included in the code release for Android 4.4, and since it is now disclosed there is no harm to the open device community to describe the bug in public; devices that currently have no exploit are thereby now exploitable.'

A very profitable line for mobile malware developers is Android Banking Trojans, which infect phones and steal passwords and other data when victims log onto their online bank accounts.

One recent trend is Android malware that attacks users in specific countries, such as European Countries, Brazil and India.

The antivirus software maker Malwarebytes noticed that a new threat, distributed via file sharing sites and alternative markets in the last few months, targets Korean users.

Dubbed 'Android/Trojan.Bank.Wroba', the malware disguises itself as the Google Play Store app and runs as a service in the background to monitor events.

"This enables it to capture incoming SMS, monitor installed apps and communicate with a remote server."

According to the researcher, after installation the malware looks for targeted banking applications on the device, removes them, and downloads a malicious version to replace each one.

"The malicious version will contain the exact Package Name and look very similar to the legitimate app, but contains malicious code with no banking functionality."

The attackers aim to obtain login credentials that give them access to the victim’s bank account; the fake banking application installed in the second step captures the banking information and other useful data to generate revenue for them.

Android isn't the only mobile operating system at risk from such automated exploits. The recently launched Firefox Mobile OS also had its first mobile malware surface a few days back.

A security researcher discovered a critical privacy vulnerability in Verizon Wireless’s Web-based customer portal that allows anyone to download a user’s SMS history and the numbers of the other users they communicated with.

Back in August, researcher 'Cody Collier' found that a simple URL exploit could allow any subscriber to extract data using the 'Download to SpreadSheet' function.

To exploit this, an attacker only needs to modify the subscriber’s phone number in the URL, which gives the attacker access to the SMS history of the targeted account.

The variable 'mtn' within the URL defines the mobile number, and an attacker just needs to modify this. "Message details consist of: Date, Time, To, From, and Direction an SMS or MMS took place. With no user interaction, all that was required was a subscriber's phone number," he explained.

There were no safeguards to ensure that the person downloading the spreadsheet owned that number, potentially exposing tens of millions of Verizon customer contact lists and texting habits.
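The missing safeguard, sketched as an added example that is not Verizon's code: the export is keyed on the `mtn` request parameter, and the checked version compares it against the lines owned by the authenticated session's account, logging denials so that probing of other numbers can be flagged. All names, the log format and the sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: the lines (mtn values) each account owns.
ACCOUNT_LINES = {
    "acct-1001": {"5550100001", "5550100002"},
    "acct-2002": {"5550100003"},
}

# Constructed message-detail rows: (date, time, to, from, direction).
MESSAGE_DETAILS = {
    "5550100001": [("2013-08-01", "09:14", "5550100003", "5550100001", "OUT")],
    "5550100003": [("2013-08-02", "18:40", "5550100009", "5550100003", "OUT")],
}


@dataclass
class Session:
    session_id: str
    account_id: str  # set by the server at login, never taken from the request


class Forbidden(Exception):
    """Raised when the requested mtn is not on the caller's account."""


def export_unchecked(session: Session, mtn: str) -> list:
    """The flawed pattern: rows are selected by the mtn parameter alone."""
    return MESSAGE_DETAILS.get(mtn, [])


def export_checked(session: Session, mtn: str, audit_log: list) -> list:
    """Export rows only for an mtn that belongs to the authenticated account."""
    owned = ACCOUNT_LINES.get(session.account_id, set())
    if mtn not in owned:
        audit_log.append(f"session={session.session_id} mtn={mtn} result=denied")
        raise Forbidden(mtn)
    audit_log.append(f"session={session.session_id} mtn={mtn} result=ok")
    return MESSAGE_DETAILS.get(mtn, [])


def flag_enumeration(audit_log: list, threshold: int = 3) -> list:
    """Return session ids denied for at least `threshold` distinct mtn values."""
    denied = {}
    for line in audit_log:
        fields = dict(part.split("=", 1) for part in line.split())
        if fields.get("result") == "denied":
            denied.setdefault(fields["session"], set()).add(fields["mtn"])
    return sorted(s for s, mtns in denied.items() if len(mtns) >= threshold)


def demo() -> dict:
    owner = Session("s-1", "acct-1001")
    other = Session("s-77", "acct-2002")  # logged in, but to a different account
    log = []
    results = {"unchecked": export_unchecked(other, "5550100001")}
    results["own_line"] = export_checked(owner, "5550100001", log)
    blocked = 0
    for mtn in ("5550100001", "5550100002", "5550100004"):
        try:
            export_checked(other, mtn, log)
        except Forbidden:
            blocked += 1
    results["blocked"] = blocked
    results["flagged"] = flag_enumeration(log)
    return results


if __name__ == "__main__":
    print(demo())
```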

Because Verizon's site doesn't offer any direct contact info for reporting vulnerabilities, he found someone on LinkedIn who forwarded his request to Verizon's corporate security.

Now Verizon has created a dedicated email contact, CorporateSecurity@verizonwireless.com, to field these security issues.

We are also trying to reach Verizon for comment on this serious Privacy issue and will update should we hear back.

Firefox OS is a mobile operating system based on Linux and Mozilla’s Gecko technology, whose environment is dedicated to apps created with just HTML, CSS, and JavaScript.

After almost two years of development, a few months back Mozilla officially launched their Firefox OS devices in stores and now the first Malware for the brand new platform is available.

Shantanu Gawde, a 17-year-old independent security researcher, is going to demonstrate the very first known malware for Firefox OS at the upcoming Information Security Summit - The Ground Zero (G0S) 2013, to be held on November 7th - 10th, 2013 at The Ashok, New Delhi.

Firefox OS is different - Every app in Firefox OS including the Camera and the Dialer is a web app, i.e. a website in the form of an app. Simple! Mozilla has developed Web APIs so that HTML5 apps can communicate with the device’s hardware, and Shantanu has intentionally used the same APIs to exploit the device for malicious purposes.

Basically, there are two types of Firefox OS apps: packaged and hosted. Packaged apps are essentially a zip file containing all of an app's assets: HTML, CSS, JavaScript, images, manifest, etc.

Hosted apps are just websites that act as the application, which means you can host the app on a publicly accessible Web server, just like any other website. His demonstration will showcase the malware app he developed using just HTML, CSS, and JavaScript, and its capability to perform many malicious tasks remotely on the device, e.g. accessing SD card data, stealing contacts, downloading and uploading files on the device, and tracking the geographical location of the user.

"The purpose of the PoC is of course to motivate developers to ensure better security on their platforms rather than providing inspiration to those with malicious intents." he told 'The Hacker News'.

The rapid growth and evolution of mobile malware is swiftly becoming a highly profitable business for cybercriminals. According to the third annual Mobile Threats Report from Juniper Networks, mobile malware threats have grown a huge 614% in the period March 2012 to March 2013.

With mobile malware on the rise, attackers are becoming increasingly clever and are targeting every possible new platform. Make sure you are at Ground Zero this year to see a live threat to one of the prominent upcoming mobile operating systems.

Update: A Mozilla spokesperson provided the following statement: "We are aware of plans to demonstrate a malware app able to perform malicious tasks on the Firefox OS phone. Such attacks usually rely on developer mode functionality, which is common to most Smartphones but disabled by default. In addition, we believe this demonstration requires the phone to be physically connected to a computer controlled by the attacker, and unlocked by the user."

A serious vulnerability in WhatsApp allows anyone who is able to eavesdrop on WhatsApp connection to decrypt users' messages.

WhatsApp, the mobile instant messaging application, has become one of the main communication tools of the present day, and its popularity makes it attractive to security researchers and hackers.

This time the protection of the messages exchanged through the application is in question: thanks to a vulnerability in the crypto implementation, they can be intercepted by an attacker.

Thijs Alkemade is a computer science student at Utrecht University in The Netherlands who works on the open source Adium instant messaging project. During his research, he disclosed a serious issue in the encryption used to secure WhatsApp messages.

In the post titled "Piercing Through WhatsApp’s Encryption", Alkemade remarked that WhatsApp has been plagued by numerous security issues recently: easily stolen passwords, unencrypted messages and even a website that can change anyone’s status.

"You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort. You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this but expect to stop using it until the developers can update it." states the researcher.

An attacker sniffing a WhatsApp conversation is able to recover most of the plaintext bytes sent. WhatsApp uses the RC4 stream cipher to generate a stream of bytes that is XORed with the plaintext to produce the ciphertext.

The mistakes are:

The same encryption key in both directions

The same HMAC key in both directions

Below is the trick the researcher used to reveal messages sent with WhatsApp by exploiting the first issue:

WhatsApp adopts the same key for the incoming and the outgoing RC4 stream, so "we know that ciphertext byte i on the incoming stream xored with ciphertext byte i on the outgoing stream will be equal to xoring plaintext byte i on the incoming stream with plaintext byte i of the outgoing stream. By xoring this with either of the plaintext bytes, we can uncover the other byte."

The technique doesn't directly reveal all bytes but works in many cases. Another element that works to the attacker's advantage is that messages follow the same structure and are easy to predict starting from the portion of plaintext that is disclosed.
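The keystream cancellation described above can be checked directly. The following is an added example, not code from the article or from WhatsApp; the session key, the two frames and the `direction_key` helper are constructed for illustration, and the per-direction key derivation is an assumed fix.

```python
import hashlib
import hmac

# Constructed sample frames, not real WhatsApp traffic.
SESSION_KEY = b"constructed-session-key"
OUTGOING = b"<message to='bob'>meet at noon</message>"
INCOMING = b"<message to='amy'>ok, see you!</message>"


def rc4_keystream(key, n):
    """Return the first n bytes of the RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, plaintext):
    return xor(plaintext, rc4_keystream(key, len(plaintext)))


def direction_key(session_key, label):
    """Assumed fix (hypothetical helper): one independent key per direction."""
    return hmac.new(session_key, label, hashlib.sha256).digest()


def wire_xor(key_out, key_in):
    """XOR of the two ciphertext streams, as seen by a passive observer."""
    return xor(encrypt(key_out, OUTGOING), encrypt(key_in, INCOMING))


shared = wire_xor(SESSION_KEY, SESSION_KEY)    # flawed: keystream cancels
split = wire_xor(direction_key(SESSION_KEY, b"client->server"),
                 direction_key(SESSION_KEY, b"server->client"))
print("same key, wire XOR equals plaintext XOR  :", shared == xor(OUTGOING, INCOMING))
print("split keys, wire XOR equals plaintext XOR:", split == xor(OUTGOING, INCOMING))
```

With one key, the shared message structure shows up as zero bytes at the start of the XOR, which is why predictable framing matters; with separate keys the two keystreams no longer cancel.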

The second issue, related to the HMAC, is more difficult to exploit. Alkemade said WhatsApp also uses the same HMAC key in both directions, another implementation error that puts messages at risk.

The MAC is used to detect data alteration, but it is not enough to detect all forms of tampering, so the attacker could potentially manipulate any message.

"TLS counters this by including a sequence number in the plaintext of every message and by using a different key for the HMAC for messages from the server to the client and for messages from the client to the server. WhatsApp does not use such a sequence counter and it reuses the key used for RC4 for the HMAC."
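The two measures named in the quote, a sequence number and a separate HMAC key per direction, can be compared against the single-key design in a small receiver model. This is an added example, not code from the article, WhatsApp or TLS; the keys, the frame and the `Receiver` class are constructed, and replay and reflection are used here as the generic tampering cases those measures address.

```python
import hashlib
import hmac
import struct

# Constructed keys and frame, for illustration only.
SHARED = b"constructed-shared-mac-key"
C2S, S2C = b"constructed-c2s-key", b"constructed-s2c-key"
FRAME = b"<message>transfer approved</message>"


def tag(key, payload, seq=None):
    """HMAC-SHA256 over the payload, optionally bound to a 64-bit counter."""
    prefix = b"" if seq is None else struct.pack(">Q", seq)
    return hmac.new(key, prefix + payload, hashlib.sha256).digest()


class Receiver:
    """Verifies frames; with use_seq it also enforces the expected counter."""

    def __init__(self, key, use_seq):
        self.key, self.use_seq, self.expected = key, use_seq, 0

    def accept(self, payload, mac):
        seq = self.expected if self.use_seq else None
        if not hmac.compare_digest(tag(self.key, payload, seq), mac):
            return False
        self.expected += 1
        return True


def weak_design():
    """One key for both directions, no counter."""
    mac = tag(SHARED, FRAME)                  # frame sent client -> server
    server, client = Receiver(SHARED, False), Receiver(SHARED, False)
    first = server.accept(FRAME, mac)
    replayed = server.accept(FRAME, mac)      # same frame delivered twice
    reflected = client.accept(FRAME, mac)     # frame returned to its sender
    return first, replayed, reflected


def tls_style_design():
    """Per-direction keys plus a sequence number in the MAC input."""
    mac = tag(C2S, FRAME, seq=0)
    server, client = Receiver(C2S, True), Receiver(S2C, True)
    first = server.accept(FRAME, mac)
    replayed = server.accept(FRAME, mac)      # counter is now 1: rejected
    reflected = client.accept(FRAME, mac)     # wrong direction key: rejected
    return first, replayed, reflected
```

In the single-key design every delivery verifies, while the TLS-style receiver accepts only the first, in-order frame from the correct direction.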

Alkemade is very critical of the development team of the popular platform:

“There are many pitfalls when developing a streaming encryption protocol. Considering they don’t know how to use a xor correctly, maybe the WhatsApp developers should stop trying to do this themselves and accept the solution that has been reviewed, updated and fixed for more than 15 years, like TLS,” he said.

I agree with the thinking of the researcher. Security for applications such as WhatsApp is crucial given its level of penetration, and it is true that the interest of the scientific community and cybercrime will surely lead them to discover new vulnerabilities, to which WhatsApp has to provide a quick solution.

Alkemade confirmed that there is no remediation for the flaw at this moment, which is why he suggests to stop using WhatsApp until the developers produce a patch.

If you're unlucky enough to lose your smartphone or have it stolen, anyone who finds the device will also be able to access any content stored on it, whether it's contacts, music or documents.

But with a SIM card PIN lock enabled, every time the device is powered down and subsequently switched back on, the PIN will need to be entered before the phone can be used.

Security researcher Benjamin Kunz Mejri from Vulnerability Laboratory claimed that he found a new vulnerability in iOS v7.0.1 & v7.0.2 that allows a hacker to bypass the SIM lock mode.

In a proof-of-concept video, he demonstrates how an attacker can bypass the restricted section of the iPhone when SIM lock is enabled on a stolen iPhone.

The flaw can be exploited without user interaction, and successful exploitation results in the bypass of the SIM lock mode to the regular lock mode.

The steps to bypass the SIM lock on a stolen device:

Turn on your iPhone and ensure you have the iOS v7.0.1 or 7.0.2 installed and Sim Lock mode is activated.

You will see a black notification in the middle of the display - SIM Locked.

Open the Calendar, and scroll down to the two hyperlinks.

Press the Power button and wait 2 seconds and then press one of the two hyperlinks.

You will be redirected via hyperlink, because of the restriction to the passcode SIM lock.

Press Power button again for 3 seconds and then press the Home button

Click cancel again in the shutdown menu but hold the Home button.

Open up the Control center and go to the calculator. Now a message box appears automatically with the SIM lock

Press the shutdown button for 3 seconds + Unlock Key + Home button.

The Passcode screen will pop up, but you will be again redirected to Calculator.

Now press the Power button again for 3 seconds and then press Cancel; finally, press the Home button one time.

The Restricted Sim Lock Screen will disappear.

This flaw does not cover a regular passcode bypass; for that, an attacker needs to use other ways. Shortly after the iOS 7 release earlier this month, users discovered a lock screen flaw that allowed a simple exploit to be used to view private details on the iPhone, iPad or iPod touch.

Apple worked quickly to fix the issue and rolled out iOS 7.0.2, an update aimed at adding Greek keyboard support and tackling the lock screen security flaw. But just after that, another screen lock bypass bug appeared on the Internet. The growing number of iOS 7.0.2 problems is now frustrating iPhone and iPad users.

A German security firm, SRL, claims a vulnerability in the Touch ID fingerprint scanner and iCloud allows a hacker to access a locked device and potentially gain control over an owner’s Apple ID.

SRL points out that Airplane mode can be enabled on a stolen phone from the lockscreen, which turns off wireless connectivity and so defeats the remote wipe facility.

Because this can be done without a passcode, it could be a major vulnerability when it comes to physically stolen devices.

In a video demonstration, they point out that Apple lets users locate and remotely wipe a device using the Find My iPhone app.

However, Find My iPhone can only perform a wipe if the device is connected to the Internet, and because Airplane Mode disables Internet connectivity, a thief may have enough time to get fingerprints off the device and eventually log in. An attacker can create a fake fingerprint on a laminated sheet and later attach it to one of their fingers, as already explained by another researcher.

SRLabs suggests several things Apple could do to mitigate the problem. These include making Airplane Mode inaccessible from the lockscreen by default, and warning people not to keep a password reset email account active on a mobile device.

The world of mobile search is about to get a bit more anonymous. Thanks to the fears over government surveillance and corporate tracking, Anonymous Search Engine DuckDuckGo continues to break its own search records.

The DuckDuckGo Search & Stories Android app delivers the same functionality as traditional services such as Google, but with the added promise that your IP address and identity will not be recorded.

In June, the anonymous search engine DuckDuckGo launched its app for iOS and Android, and in a recent update the DuckDuckGo application for Android also integrated Tor support.

“Privacy is perhaps more important on mobile than on the web, and we haven’t had many private alternatives,” DuckDuckGo founder Gabriel Weinberg said.

To enable Tor in the DuckDuckGo Android app, the user needs to check "Enable Tor" in the settings. The app will then prompt the user to install an application to anonymize the mobile data communication.

As a search engine, DuckDuckGo has some other great features as well, but support for the anonymous Tor network is certainly something that many privacy-conscious users will appreciate.

Mobile Browsers are complicated applications and locking them down against threats is extremely difficult. According to a Mobile Security Researcher, Sebastián Guerrero from 'viaForensics', Android's Firefox browser app is vulnerable to Hackers.

He responsibly disclosed to Mozilla the details of a flaw that allows hackers to access both the contents of the SD card and the browser's private data.

He posted a video showing how hackers would be able to access data on the device. The flaw works only if a user installs a malicious application or opens a locally stored HTML file containing malicious JavaScript code in the vulnerable Firefox app.

Successful exploitation allows an attacker to access files on the SD card as well as all of the user's cookies, login credentials, bookmarks etc. This is a privacy issue and could be severe depending on what is stored there, including personal pictures and video, or data placed there by other applications.

Files are accessed through the standard “file://” URI syntax. Firefox encrypts the data stored in internal storage which is why hackers also introduce a third-party app which gets the encrypted keys stored on the device.

"However, to protect the most sensitive information, apps can place data in a separate location called internal storage, a private folder for each app that even the user is prevented from accessing directly (unless the device is rooted). The most significant threat from this vulnerability is that the secured location for Firefox is also accessible, which means a hacker will have access to cookies, login credentials, bookmarks, and anything else Mozilla think should be kept safely tucked away." Androidpolice blog explained.

We contacted Sebastián to get more details. A quick FAQ on the matter follows:

Q. Can an attacker host the HTML file with the malicious JavaScript code on a server and exploit the flaw remotely just by making the victim visit the website?
A. The exploit cannot be executed by a remote web page. This flaw works only if you install an application, but there is another vulnerability in Firefox that could allow an attacker to install applications without the user's knowledge. I disclosed it to Firefox, but another researcher did the same before me.

But it's possible to host the malicious HTML file somewhere and, using some social engineering, an attacker can make the victim download and execute the file locally in their Firefox app.

Q. To steal files from the victim's SD card, does an attacker need to pre-define the file names or folder path in the exploit code?
A. Nope, there is no need to specify the path, because I'm obtaining the salted folder generated by Firefox at runtime, due to a vulnerability. So I can make a copy of the SD card, because the path will always be /sdcard, and for the private folder located at /data/data/org.mozilla.firefox, I'm obtaining the salted profile generated at runtime.

Q. Where and how will the stolen files be uploaded?
A. You can upload them wherever you want, i.e. using the exploit code we open a socket connection to a remote FTP server to upload the stolen files.

Q. Is there any CVE ID or Mozilla Security Advisory ID defined for the vulnerability yet?
A. As far as I know there isn't a CVE assigned to this vulnerability.

Mozilla has patched the vulnerability in Firefox 24 for Android. Just a few weeks back, a Russian hacker put up for sale a zero-day exploit that forces the Android Firefox browser to download and execute a malicious app.

It would be easy for someone who knows you or your love partner or your business partner to obtain your phone and call themselves from it to take advantage of this trick and they may only gain access to the Phone app.

Fixing this bug is pretty simple: disable Siri on the lock screen by navigating to “Settings –> General –> Passcode –> Siri” and turning it off there.

The Iranian group defeated the very basic phenomenon of an iPhone Fingerprinting scanner, which allows them to unlock an iPhone device with multiple Fingerprints.

Apple's iPhone 5s became available in stores just two weeks ago with a new biometrics-based security feature called "Touch ID", which analyzes a user's fingerprint and uses it to unlock the phone.

Apple launched the technology that it promises will better protect devices from criminals and snoopers seeking access. With this you can purchase things from the iTunes App Store. Basically, you can now use it in place of your password.

"Fingerprint is one of the best passcodes in the world. It's always with you, and no two are exactly alike," according to Apple's website.

Another interesting fact is that, Touch ID is not only designed to scan the fingerprints of your fingers, it works with various human body parts and appendages which are also not fingers.

An Iranian group of iPhone geeks from Tehran, who run the blog "i-Phone.ir", contacted 'The Hacker News' with another awesome Touch ID hack, showing how they defeated the very basic premise of the fingerprint scanner, i.e. "No two Fingerprints are exactly alike". (Greets to Bashir Khoshnevis, Mohsen Lotfi, Shayan Khabazian and other members of the i-Phone.ir support team)

In a video demonstration, provided to The Hacker News, the Group set up a mixed Fingerprint scan of 5-6 people for an iPhone 5S handset (as shown in the video), which allowed all of them to unlock the locked device with their individual fingerprint.

According to Apple, the chance that Touch ID will misread a finger is 1 in 50,000. This is because Touch ID is not designed to capture the fingerprint in strict mode. It scans the fingerprint at a very high resolution (2400 dpi) to capture and match partial sections of an impression for faster unlocking.

If the iPhone is not able to scan the thumb impression in strict mode to establish that it is unique, there is a possibility that out of 1000 thumb impressions the iPhone's Touch ID system can count 2-3 impressions as belonging to the same person. It could be a feature only if 5 different keys (fingers) belonged to the same person, but here we have 5 different people with the same key (finger). Touch ID is absolutely not a family key system that should work for Dad, Mom, sister and elder brother.

I asked my co-researchers "Wang Wie" and "Jiten Jain" to reproduce the hack, and it worked successfully for both, many times, on the latest iOS firmware 7.0.2, and iPhone users will not receive any patch soon for this.

Touch ID is intended to reduce the number of times a person must enter a passcode, but you should use Passcode to make sure no one else has access to your iPhone.

Earlier this morning, a new report came from a Chinese weblog, DoNews stating that Apple will introduce the new Touch ID in iPad mini 2.